...

Standard TLS-based https is sufficient for SHRINE.

Setting up SHRINE's Keystore in versions 3.2 and earlier was much more complex. Now SHRINE uses Tomcat's TLS-based https the way almost all other applications do. Tomcat's own documentation is insufficient but these instructions were clear .

TLS Verified https Client

New in SHRINE 4.2 - SHRINE uses TLS server verification by default for all communication between the hub and downstream nodes. Downstream nodes will be unable to communicate with the hub unless the hub is configured to use a certification that the downstream nodes can validate.

...